From 18d5a26f74ea49ba0a059cfb942c4c8ac9956d3b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 12 May 2006 21:00:52 +0000 Subject: r15549: removing rhosts and 'hosts equiv' authentication features (This used to be commit d19dad88155f985f113c667b6bdad5a1b25eca18) --- source3/auth/auth_rhosts.c | 293 --------------------------------------------- 1 file changed, 293 deletions(-) delete mode 100644 source3/auth/auth_rhosts.c (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c deleted file mode 100644 index 23e276bc84..0000000000 --- a/source3/auth/auth_rhosts.c +++ /dev/null @@ -1,293 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Main SMB reply routines - Copyright (C) Andrew Tridgell 1992-1998 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_AUTH - -/**************************************************************************** - Create a struct samu - either by looking in the pdb, or by faking it up from - unix info. -****************************************************************************/ - -static NTSTATUS auth_get_sam_account(const char *user, struct samu **account) -{ - BOOL pdb_ret; - NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; - - if ( !(*account = samu_new( NULL )) ) { - return NT_STATUS_NO_MEMORY; - } - - become_root(); - pdb_ret = pdb_getsampwnam(*account, user); - unbecome_root(); - - if (!pdb_ret) - { - struct passwd *pass; - - if ( !(pass = Get_Pwnam( user )) ) { - return NT_STATUS_NO_SUCH_USER; - } - - nt_status = samu_set_unix( *account, pass ); - } - - return nt_status; -} - -/**************************************************************************** - Read the a hosts.equiv or .rhosts file and check if it - allows this user from this machine. -****************************************************************************/ - -static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file) -{ - int plus_allowed = 1; - char *file_host; - char *file_user; - char **lines = file_lines_load(equiv_file, NULL,0); - int i; - - DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); - if (! lines) { - return False; - } - for (i=0; lines[i]; i++) { - char *buf = lines[i]; - trim_char(buf,' ',' '); - - if (buf[0] != '#' && buf[0] != '\n') { - BOOL is_group = False; - int plus = 1; - char *bp = buf; - - if (strcmp(buf, "NO_PLUS\n") == 0) { - DEBUG(6, ("check_user_equiv NO_PLUS\n")); - plus_allowed = 0; - } else { - if (buf[0] == '+') { - bp++; - if (*bp == '\n' && plus_allowed) { - /* a bare plus means everbody allowed */ - DEBUG(6, ("check_user_equiv everybody allowed\n")); - file_lines_free(lines); - return True; - } - } else if (buf[0] == '-') { - bp++; - plus = 0; - } - if (*bp == '@') { - is_group = True; - bp++; - } - file_host = strtok(bp, " \t\n"); - file_user = strtok(NULL, " \t\n"); - DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", - file_user ? file_user : "(null)" )); - - if (file_host && *file_host) { - BOOL host_ok = False; - -#if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN) - if (is_group) { - static char *mydomain = NULL; - if (!mydomain) { - yp_get_default_domain(&mydomain); - } - if (mydomain && innetgr(file_host,remote,user,mydomain)) { - host_ok = True; - } - } -#else - if (is_group) { - DEBUG(1,("Netgroups not configured\n")); - continue; - } -#endif - - /* is it this host */ - /* the fact that remote has come from a call of gethostbyaddr - * means that it may have the fully qualified domain name - * so we could look up the file version to get it into - * a canonical form, but I would rather just type it - * in full in the equiv file - */ - - if (!host_ok && !is_group && strequal(remote, file_host)) { - host_ok = True; - } - - if (!host_ok) { - continue; - } - - /* is it this user */ - if (file_user == 0 || strequal(user, file_user)) { - DEBUG(5, ("check_user_equiv matched %s%s %s\n", - (plus ? "+" : "-"), file_host, - (file_user ? file_user : ""))); - file_lines_free(lines); - return (plus ? True : False); - } - } - } - } - } - - file_lines_free(lines); - return False; -} - -/**************************************************************************** -check for a possible hosts equiv or rhosts entry for the user -****************************************************************************/ - -static BOOL check_hosts_equiv(struct samu *account) -{ - uid_t uid; - char *fname = NULL; - - fname = lp_hosts_equiv(); - if (!sid_to_uid(pdb_get_user_sid(account), &uid)) - return False; - - /* note: don't allow hosts.equiv on root */ - if (fname && *fname && uid != 0) { - if (check_user_equiv(pdb_get_username(account),client_name(),fname)) - return True; - } - - return False; -} - - -/**************************************************************************** - Check for a valid .rhosts/hosts.equiv entry for this user -****************************************************************************/ - -static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status; - struct samu *account = NULL; - if (!NT_STATUS_IS_OK(nt_status = - auth_get_sam_account(user_info->internal_username, - &account))) { - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) - nt_status = NT_STATUS_NOT_IMPLEMENTED; - return nt_status; - } - - if (check_hosts_equiv(account)) { - nt_status = make_server_info_sam(server_info, account); - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(account); - } - } else { - TALLOC_FREE(account); - nt_status = NT_STATUS_NOT_IMPLEMENTED; - } - - return nt_status; -} - -/* module initialisation */ -static NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_hostsequiv_security; - (*auth_method)->name = "hostsequiv"; - return NT_STATUS_OK; -} - - -/**************************************************************************** - Check for a valid .rhosts/hosts.equiv entry for this user -****************************************************************************/ - -static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status; - struct samu *account = NULL; - pstring rhostsfile; - const char *home; - - if (!NT_STATUS_IS_OK(nt_status = - auth_get_sam_account(user_info->internal_username, - &account))) { - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) - nt_status = NT_STATUS_NOT_IMPLEMENTED; - return nt_status; - } - - home = pdb_get_unix_homedir(account); - - if (home) { - slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - become_root(); - if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) { - nt_status = make_server_info_sam(server_info, account); - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(account); - } - } else { - TALLOC_FREE(account); - } - unbecome_root(); - } else { - TALLOC_FREE(account); - nt_status = NT_STATUS_NOT_IMPLEMENTED; - } - - return nt_status; -} - -/* module initialisation */ -static NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_rhosts_security; - (*auth_method)->name = "rhosts"; - return NT_STATUS_OK; -} - -NTSTATUS auth_rhosts_init(void) -{ - smb_register_auth(AUTH_INTERFACE_VERSION, "rhosts", auth_init_rhosts); - smb_register_auth(AUTH_INTERFACE_VERSION, "hostsequiv", auth_init_hostsequiv); - return NT_STATUS_OK; -} -- cgit